Quick and dirty rule for isolating a wifi access point from LAN + allow Internet
-
I setup a VLAN to serve a wifi AP for my guests. I need to separate their traffic from my internal LAN so, basically, I want to allow these users to connect to the Internet and NOT see my LAN.
conf:
Internet: PPP WAN Interface
LAN: 192.168.1.0/24
VLAN: 192.168.10.0/24 (DHCP server enabled).
firewall rule:
action: allow
interface: VLAN10
protocol: all
source: VLAN10 subnet
destination: WAN interface OR WAN subnet?
Do I need to setup an Advanced option for Gateway?
-
Just create a rule that says !lan net,
example
-
What John said… An inverse (not) firewall rule on the WAP interface will allow all traffic heading to any network/host that isn't your LAN net.
-
Could someone attack the pfSense box from the AP/WLAN interface? That rule protects the LAN; what about the firewall itself?
-
It can be easiest and clearest to put some block rules first on your VLAN10-WLAN interface.
0) Pass protocol TCP/UDP, source all, destination VLAN10address port DNS (53) - let the VLAN10 users get DNS from pfSense
1) Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)
2) Block protocol all, source all, destination LANnet - block connections to LAN devices, including pfSense LANaddress
3) Pass whatever you like - e.g. a general pass all rule - pass protocol all, source all, destination all
Note: You can use source VLAN10net in the rules, it really amounts to the same thing as source all in this case, since anything arriving on VLAN10 interface will have a VLAN10net IP. That would be different if you had other subnets on other routers behind VLAN10, but you don't.
Edit: 3 Jan 2014, add rule 0 - thanks Derelict, I keep forgetting little bits like when posting!!!
-
I sometimes just create an rfc1918 alias containing 192.168.0.0/16 172.16.0.0/12 and 10.0.0.0/8. Then:
pass icmp echo req from lan net to lan address
pass dns from lan net to dns_server_ip
pass from lan net to ! rfc1918
(default deny any any)
If I have lots of different guest interfaces I might use floating rules for DNS traffic, etc.
Then guests can ping the gateway should they need to but can't get to any other private LANs I might have configured be they OpenVPN, test, whatever. Nor can they get at the webConfigurator or ssh port for pfSense on LAN address.
This works as long as I don't have public IPs on the private side of the firewall. IPv6 is, of course, a different subject.
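To sanity-check both rulesets in this thread (phil.davis's numbered rules and the rfc1918-alias variant above) before putting them on the VLAN10 tab, here is an added Python model of pfSense's top-down, first-match evaluation; it is not code from the thread, and the VLAN10 address 192.168.10.1 and the sample destinations are assumed values. It also reproduces the problem the OP hit when rule 0 is missing: DNS to the firewall gets caught by the block.

```python
"""First-match evaluation of the guest-VLAN rulesets discussed in this thread (added example)."""
from ipaddress import ip_address, ip_network

# Constructed addressing taken from the thread: LAN 192.168.1.0/24, guest VLAN10 192.168.10.0/24.
LAN_NET = ip_network("192.168.1.0/24")
VLAN10_ADDRESS = ip_address("192.168.10.1")   # assumed pfSense address on VLAN10
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

# Rule = (action, protocol set or None for all, destination predicate, destination port or None).
# Source is omitted: per phil.davis's note, everything arriving on VLAN10 has a VLAN10net source.
PHIL_RULES = [
    ("pass",  {"tcp", "udp"}, lambda d: d == VLAN10_ADDRESS, 53),    # 0) DNS to pfSense
    ("block", None,           lambda d: d == VLAN10_ADDRESS, None),  # 1) firewall itself (webGUI, ssh)
    ("block", None,           lambda d: d in LAN_NET,         None),  # 2) LAN net, incl. LAN address
    ("pass",  None,           lambda d: True,                 None),  # 3) everything else
]
DERELICT_RULES = [
    ("pass",  {"icmp"},       lambda d: d == VLAN10_ADDRESS, None),  # ping the gateway
    ("pass",  {"tcp", "udp"}, lambda d: d == VLAN10_ADDRESS, 53),    # DNS from pfSense
    ("pass",  None,           lambda d: not in_any(d, RFC1918), None),  # to !rfc1918
    # nothing else: pfSense default deny
]

def evaluate(rules, proto, dst, dport=None):
    """Return 'pass' or 'block' for a packet arriving on VLAN10, first matching rule wins."""
    dst = ip_address(dst)
    for action, protos, dst_match, port in rules:
        if protos is not None and proto not in protos:
            continue
        if not dst_match(dst):
            continue
        if port is not None and dport != port:
            continue
        return action
    return "block"  # implicit default deny at the end of every pfSense interface tab

if __name__ == "__main__":
    samples = [("udp", "192.168.10.1", 53), ("tcp", "192.168.10.1", 443),
               ("tcp", "192.168.1.50", 445), ("tcp", "203.0.113.10", 443)]
    for proto, dst, port in samples:
        print(f"{proto} -> {dst}:{port}  phil={evaluate(PHIL_RULES, proto, dst, port)}"
              f"  derelict={evaluate(DERELICT_RULES, proto, dst, port)}")
    # Without rule 0, guests lose DNS resolution even though Internet hosts are still passed.
    print("no rule 0, DNS:", evaluate(PHIL_RULES[1:], "udp", "192.168.10.1", 53))
```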
-
Hi phil.davis,
your # 1) rule correctly blocks the WebGUI, but also blocks Internet access. This AP is needed to allow my guests to access the Internet (and only the Internet; not my LAN, not the WebGUI, not the pfSense machine). This thing is drivin' me crazy :'( ;)
-
Hi phil.davis,
your # 1) rule correctly blocks the WebGUI, but also blocks Internet access.
If the LAN you're looking to isolate is using pfSense as its DNS forwarder, you'll need to add:
Pass TCP/UDP source * * dest VLAN10 Address DNS (53)
Before the "1) Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)" rule.
-
If the LAN you're looking to isolate is using pfSense as its DNS forwarder, you'll need to add:
Pass TCP/UDP source * * dest VLAN10 Address DNS (53)
Before the "1) Block protocol all, source all, destination VLAN10address - block any attempt to connect to stuff on the firewall (webGUI, ssh…)" rule.
Post updated - thanks for pointing out my overzealous blocking advice.